Bug 1805091 - After replacing openshift-ingress certificate not able to access jenkins
Keywords:
Status: CLOSED DUPLICATE of bug 1804345
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Jenkins
Version: 4.3.z
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.5.0
Assignee: Vibhav Bobade
QA Contact: XiuJuan Wang
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-02-20 08:44 UTC by mmariyan
Modified: 2023-10-06 19:14 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-18 22:28:09 UTC
Target Upstream Version:
Embargoed:



Description mmariyan 2020-02-20 08:44:22 UTC
Description of problem:

After the default router certificate was replaced, all routes such as prometheus, console, etc. are accessible, except the Jenkins UI.

The jenkins route successfully redirects to oauth, and when it redirects back to jenkins we get an error.


Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:

1) Apply private ingress certificates (not publicly issued certs) by following https://docs.openshift.com/container-platform/4.2/authentication/certificates/replacing-default-ingress-certificate.html

2) Deploy jenkins or try to access an already deployed jenkins.

Result: Jenkins UI is not accessible

Actual results:

Not able to access the Jenkins UI

Expected results:
The Jenkins UI should be accessible

Additional info:

Comment 2 Vibhav Bobade 2020-02-24 12:21:25 UTC
 Hello mmariyan,

Can you confirm that this bug is the same as https://bugzilla.redhat.com/show_bug.cgi?id=1804345
If so, we can mark this as a clone and track it in one single place.

Comment 3 Vibhav Bobade 2020-02-28 03:44:45 UTC
Hello mmariyan,

Currently Jenkins does not support customCA explicitly, but to make it easier I am working on a feature for the Login Plugin; it should make things easier.
Please consider the below as a workaround.

The new feature should be able to add the certificate directly to the default JVM TrustStore.

1> Get the default keyStore.

oc rsync jenkins-1-8zbx2:/etc/pki/java ./custom-java

2> Add certificate to keystore

sudo keytool -keystore ./custom-java/cacerts -import -alias custom-ingress -file ./example.crt

3> Create a ConfigMap from the custom keystore

oc create configmap jenkins-custom-keystore --from-file=./custom-java/cacerts

4> Edit DeploymentConfig for using the custom Keystore with the following changes.

spec:
  template:
    spec:
      containers:
      - env:
        - name: JAVA_TOOL_OPTIONS
          value: "-XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -Dsun.zip.disableMemoryMapping=true -Djavax.net.ssl.trustStore=/etc/pki/java/cacerts"
        volumeMounts: 
        - mountPath: /etc/pki/java/cacerts
          name: jenkins-custom-keystore
      volumes:
      - name: jenkins-custom-keystore
        configMap:
          name: jenkins-custom-keystore

Hope this helps,

Regards
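
The workaround in comment 3 adds the ingress CA to the trust store the JVM reads. The script below is an added example, not part of the bug report or the Jenkins image: it uses openssl and a PEM bundle as a stand-in for keytool and the JKS cacerts file, and shows a certificate issued by a private CA failing validation against a stock bundle and passing once the CA is appended. All CA names, the `*.apps.example.test` host name, and the keys are constructed throwaway test data.

```shell
#!/bin/sh
# Added example: every key and certificate here is constructed test data.

# Return 0 if LEAF verifies against the CAs in BUNDLE (PEM).
# Note: openssl also consults its default CA directory, which does not
# contain the throwaway CAs generated below.
chains_to_bundle() {   # usage: chains_to_bundle BUNDLE LEAF
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create a self-signed CA: make_ca NAME -> NAME.key, NAME.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Create a leaf certificate signed by a CA: make_leaf CA NAME CN
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

# Print "<before> <after>": trust state of the route certificate before
# and after the private CA is added to the bundle.
demo() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" || exit 2
      make_ca stock-ca              # stands in for the stock trust bundle
      make_ca private-ingress-ca    # stands in for the private ingress CA
      make_leaf private-ingress-ca route "*.apps.example.test"
      cp stock-ca.crt bundle.pem
      chains_to_bundle bundle.pem route.crt && before=trusted || before=untrusted
      # PEM analogue of importing the CA with `keytool -import`
      cat private-ingress-ca.crt >> bundle.pem
      chains_to_bundle bundle.pem route.crt && after=trusted || after=untrusted
      echo "$before $after" )
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

The same before/after check is worth running against the real CA file and the certificate the route serves before building the ConfigMap, so a wrong or incomplete CA is caught before the pod is redeployed.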

Comment 4 Akram Ben Aissi 2020-03-18 22:28:09 UTC

*** This bug has been marked as a duplicate of bug 1804345 ***

Comment 5 Red Hat Bugzilla 2023-09-14 05:52:55 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

